Add Injector for Auto Encrypt CA Certificate Retrieval #313

Open
lawliet89 opened this issue Aug 20, 2020 · 1 comment
Labels
theme/tls About running Consul with TLS type/enhancement New feature or request

Comments

@lawliet89
Contributor

lawliet89 commented Aug 20, 2020

My Consul cluster has Auto Encrypt turned on and is using the connect CA (Vault provider) for Consul agent certificates.

In order for other pods to talk to the local Consul agent, I have to manually add an init container (like the Consul Helm chart does) that calls the get-consul-client-ca command to get the CA.

This can be simplified by having a mutating admission webhook automatically inject that init container for any pods with a set of annotations.

If polling mode is added as per #310, then the injector can also inject a sidecar.

Another workaround is to use Consul Template to populate some ConfigMaps in multiple namespaces automatically, but it's not as "clean" as having an injector. (cf. https://github.com/basisai/consul-autoencrypt-k8s)
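The manual init-container arrangement described above, written out as a Pod spec. This is an added illustration, not something posted in this issue; the image tag, server service name, CA secret name and mount paths are assumptions modelled on the Helm chart's pattern and should be checked against your own deployment.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-app            # placeholder name
spec:
  volumes:
    # Shared in-memory volume: the init container writes the client CA here
    # and the application container reads it; nothing is written to disk.
    - name: consul-client-ca
      emptyDir:
        medium: Memory
    # Consul cluster CA used to verify the server during retrieval.
    # Secret name assumed (the Helm chart default is consul-ca-cert).
    - name: consul-ca-cert
      secret:
        secretName: consul-ca-cert
  initContainers:
    - name: get-consul-client-ca
      image: hashicorp/consul-k8s:0.18.0   # assumed image tag
      command:
        - consul-k8s
        - get-consul-client-ca
        - -output-file=/consul/tls/client/ca/tls.crt
        - -server-addr=consul-server.consul.svc   # assumed server service name
        - -server-port=8501
        - -ca-file=/consul/tls/ca/tls.crt
      volumeMounts:
        - name: consul-client-ca
          mountPath: /consul/tls/client/ca
        - name: consul-ca-cert
          mountPath: /consul/tls/ca
          readOnly: true
  containers:
    - name: app
      image: example/app:latest           # placeholder image
      env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        # Talk to the local agent over HTTPS and verify its certificate
        # against the retrieved CA instead of disabling verification.
        - name: CONSUL_HTTP_ADDR
          value: https://$(HOST_IP):8501
        - name: CONSUL_CACERT
          value: /consul/tls/client/ca/tls.crt
      volumeMounts:
        - name: consul-client-ca
          mountPath: /consul/tls/client/ca
          readOnly: true
```

The proposed injector would generate exactly this init container and volume pair from pod annotations, so the application manifest would only need the `CONSUL_CACERT` reference.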

@ishustava ishustava added type/enhancement New feature or request theme/tls About running Consul with TLS labels Sep 10, 2020
@lawliet89
Contributor Author

lawliet89 commented Jul 7, 2021

Hey @david-yu, do you think this could be looked at? I am still using my consul template workaround and it's a little "yucky".

Edit: I have since moved to using the internal CA due to hashicorp/consul#8681. I understand that the Vault Agent injector is useful for Vault CA but this will not be usable when using the internal CA.

ndhanushkodi pushed a commit to ndhanushkodi/consul-k8s that referenced this issue Jul 9, 2021
This commit exposes TLS configuration in the Helm chart and
makes the following changes:

 * Optionally allows you to turn on TLS by setting global.tls.enabled
   to true.
 * Exposes the default HTTPS port 8501 on clients and servers
   if TLS enabled.
 * Optionally allows you to disable HTTP ports on clients and servers
   by setting global.tls.httpsOnly to false.
 * Adds TLS bootstrapping job that generates Consul cluster CA,
   as well as server and client certificates signed by that CA.
 * Exposes UI service on port 443 if TLS is enabled.
 * Client certs are generated in an init container so that we can add
   HOST_IP as a SAN to enable other clients, e.g. sync-catalog, to talk to it
 * Update pod security policies to account for HTTPS ports exposed as
   hostPort if TLS is enabled
 * Adds tls-init-cleanup job that deletes certs created by the tls-init
   job when the Helm chart is deleted.
 * Enables TLS for Consul Connect, Mesh gateways, Sync Catalog, ACL bootstrapping, and snapshot agent
 * Support incremental rollout of TLS on an existing cluster

Other fixes:
 * fix graceful termination for the servers (previously
   terminationGracePeriod was set to 10sec, which wasn't enough time
   for the servers to terminate).

Co-authored-by: Todd Radel <todd@radel.us>